Snort mailing list archives
Re: Force a server to send fragments?
From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 02 Apr 2002 15:14:33 -0800
You may be able to configure it to run through fragrouter. I've only worked with it in the other direction.

http://www.securityfocus.com/data/tools/fragrouter-1.6.tar.gz

-Joe M.

--
Joe McAlerney
Silicon Defense: IDS Solutions

"Sheahan, Paul (PCLN-NW)" wrote:
I want to see if any TCP experts out there know the answer to this. In Snort, I have seen many hosts send many fragmented TCP packets (MF bit set, no src or dst port) to a server, and occasionally have that server respond with a fragmented TCP packet instead of a standard TCP packet.

Normally with native TCP, all responses from any server are standard-sized, unfragmented packets regardless of what type of packets are being received. So if a server is receiving fragmented packets from a host or standard unfragmented packets from a host, regardless, it always replies back with standard-sized, unfragmented TCP packets during a TCP session.

Well, during testing, I've been able to send fragmented TCP packets to a server, and have it reply back with fragmented packets (MF bit is set and there are no src or dst ports). An example trace where I saw this is below. I was wondering if it's possible to force a server to generate fragmented packets like this?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/27-21:10:03.975761 internal_server -> unknown_internet_host
TCP TTL:51 TOS:0x0 ID:14447 IpLen:20 DgmLen:52 MF
Frag Offset: 0x0 Frag Size: 0x20
.P..\.K>\.K>.."8................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
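Added example, not part of the original posts: a decoder for the IPv4 fragmentation fields that the trace above reports (ID, IpLen, DgmLen, MF, Frag Offset, Frag Size), useful when triaging fragment alerts. The function names and the addresses in the constructed header are assumptions; only TTL, ID, DgmLen, MF and offset come from the trace.

```python
import struct

MF_BIT = 0x2000       # "more fragments" flag
DF_BIT = 0x4000       # "don't fragment" flag
OFFSET_MASK = 0x1FFF  # fragment offset, counted in 8-byte units


def build_header(total_len, ident, mf, offset_bytes, ttl=51, proto=6):
    """Build a constructed 20-byte IPv4 header (checksum left at zero).

    Source/destination are placeholder documentation addresses.
    """
    flags_frag = (MF_BIT if mf else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       flags_frag, ttl, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))


def classify_fragment(header):
    """Decode the fragmentation fields of a raw IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack(
        "!BBHHH", header[:8])
    ip_len = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & MF_BIT)
    offset = (flags_frag & OFFSET_MASK) * 8
    if not mf and offset == 0:
        kind = "unfragmented"
    elif mf and offset == 0:
        kind = "first fragment"
    elif mf:
        kind = "middle fragment"
    else:
        kind = "last fragment"
    return {
        "id": ident,                        # shared by all fragments of a datagram
        "ip_len": ip_len,                   # Snort's IpLen
        "frag_size": total_len - ip_len,    # Snort's Frag Size
        "df": bool(flags_frag & DF_BIT),
        "mf": mf,
        "offset": offset,
        "kind": kind,
        # Only the fragment at offset 0 carries the start of the TCP header.
        "carries_l4_header_start": offset == 0,
    }


if __name__ == "__main__":
    # Values taken from the trace: ID 14447, DgmLen 52, MF set, offset 0.
    print(classify_fragment(build_header(52, 14447, True, 0)))
```

For the traced packet this gives a first fragment with 32 bytes of payload, matching `Frag Size: 0x20` (DgmLen 52 minus IpLen 20).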
Current thread:
- Force a server to send fragments? Sheahan, Paul (PCLN-NW) (Apr 02)
- Re: Force a server to send fragments? Joe McAlerney (Apr 02)